CC: [email protected] CC: [email protected] CC: Linux Memory Management List <[email protected]> TO: Bart Van Assche <[email protected]> CC: "Martin K. Petersen" <[email protected]> CC: Daejun Park <[email protected]>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master head: 8d4b477da1a807199ca60e0829357ce7aa6758d5 commit: b1d5de8c6ea261667348424133a4f648ea48e7ca [3989/4668] scsi: ufs: Fix memory corruption by ufshcd_read_desc_param() :::::: branch date: 3 days ago :::::: commit date: 4 days ago config: x86_64-randconfig-c001-20210802 (attached as .config) compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 4f71f59bf3d9914188a11d0c41bedbb339d36ff5) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # install x86_64 cross compiling tool for clang build # apt-get install binutils-x86-64-linux-gnu # https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b1d5de8c6ea261667348424133a4f648ea48e7ca git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git git fetch --no-tags linux-next master git checkout b1d5de8c6ea261667348424133a4f648ea48e7ca # save the attached .config to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <[email protected]> clang-analyzer warnings: (new ones prefixed by >>) include/linux/rcupdate.h:604:31: note: expanded from macro 'rcu_dereference_bh' #define rcu_dereference_bh(p) rcu_dereference_bh_check(p, 0) ^ include/linux/rcupdate.h:543:2: note: expanded from macro 'rcu_dereference_bh_check' __rcu_dereference_check((p), (c) || rcu_read_lock_bh_held(), __rcu) ^ include/linux/rcupdate.h:390:2: note: expanded from macro '__rcu_dereference_check' RCU_LOCKDEP_WARN(!(c), "suspicious rcu_dereference_check() usage"); \ ^ include/linux/rcupdate.h:316:2: note: expanded from macro 'RCU_LOCKDEP_WARN' do { \ ^ net/decnet/dn_route.c:1255:3: note: Loop condition is false. 
Execution continues on line 1268 for (rt = rcu_dereference_bh(dn_rt_hash_table[hash].chain); rt; ^ net/decnet/dn_route.c:1278:8: note: Returning from '__dn_route_output_key' err = __dn_route_output_key(pprt, flp, flags); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ net/decnet/dn_route.c:1279:6: note: Assuming 'err' is equal to 0 if (err == 0 && flp->flowidn_proto) { ^~~~~~~~ net/decnet/dn_route.c:1279:6: note: Left side of '&&' is true net/decnet/dn_route.c:1279:23: note: Field 'flowic_proto' is 2 if (err == 0 && flp->flowidn_proto) { ^ include/net/flow.h:162:36: note: expanded from macro 'flowidn_proto' #define flowidn_proto __fl_common.flowic_proto ^ net/decnet/dn_route.c:1279:2: note: Taking true branch if (err == 0 && flp->flowidn_proto) { ^ net/decnet/dn_route.c:1282:7: note: Calling 'IS_ERR' if (IS_ERR(*pprt)) { ^~~~~~~~~~~~~ include/linux/err.h:36:9: note: Assuming the condition is true return IS_ERR_VALUE((unsigned long)ptr); ^ include/linux/err.h:22:34: note: expanded from macro 'IS_ERR_VALUE' #define IS_ERR_VALUE(x) unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO) ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/compiler.h:78:42: note: expanded from macro 'unlikely' # define unlikely(x) __builtin_expect(!!(x), 0) ^ include/linux/err.h:36:2: note: Returning the value 1, which participates in a condition later return IS_ERR_VALUE((unsigned long)ptr); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ net/decnet/dn_route.c:1282:7: note: Returning from 'IS_ERR' if (IS_ERR(*pprt)) { ^~~~~~~~~~~~~ net/decnet/dn_route.c:1282:3: note: Taking true branch if (IS_ERR(*pprt)) { ^ net/decnet/dn_route.c:1284:4: note: Null pointer value stored to 'rt' *pprt = NULL; ^~~~~~~~~~~~ net/decnet/dn_route.c:1287:2: note: Returning value (loaded from 'err'), which participates in a condition later return err; ^~~~~~~~~~ net/decnet/dn_route.c:1700:9: note: Returning from 'dn_route_output_key' err = dn_route_output_key((struct dst_entry **)&rt, 
&fld, 0); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ net/decnet/dn_route.c:1704:6: note: Assuming 'err' is 0 if (err) ^~~ net/decnet/dn_route.c:1704:2: note: Taking false branch if (err) ^ net/decnet/dn_route.c:1707:6: note: Assuming the condition is true if (rtm->rtm_flags & RTM_F_NOTIFY) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ net/decnet/dn_route.c:1707:2: note: Taking true branch if (rtm->rtm_flags & RTM_F_NOTIFY) ^ net/decnet/dn_route.c:1708:16: note: Access to field 'rt_flags' results in a dereference of a null pointer (loaded from variable 'rt') rt->rt_flags |= RTCF_NOTIFY; ~~ ^ Suppressed 14 warnings (14 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 13 warnings generated. drivers/acpi/event.c:31:2: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy] strcpy(event.device_class, dev->pnp.device_class); ^~~~~~ drivers/acpi/event.c:31:2: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 strcpy(event.device_class, dev->pnp.device_class); ^~~~~~ drivers/acpi/event.c:32:2: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy] strcpy(event.bus_id, dev->pnp.bus_id); ^~~~~~ drivers/acpi/event.c:32:2: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. 
Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 strcpy(event.bus_id, dev->pnp.bus_id); ^~~~~~ Suppressed 11 warnings (11 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 6 warnings generated. Suppressed 6 warnings (6 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 8 warnings generated. Suppressed 8 warnings (8 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 39 warnings generated. >> drivers/scsi/ufs/ufshcd.c:4898:27: warning: The left operand of '==' is a >> garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult] (b_lu_write_protect == UFS_LU_POWER_ON_WP)) ~~~~~~~~~~~~~~~~~~ ^ drivers/scsi/ufs/ufshcd.c:4892:6: note: Assuming field 'f_power_on_wp_en' is true if (hba->dev_info.f_power_on_wp_en && ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:4892:6: note: Left side of '&&' is true drivers/scsi/ufs/ufshcd.c:4893:6: note: Assuming field 'is_lu_power_on_wp' is false !hba->dev_info.is_lu_power_on_wp) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:4892:2: note: Taking true branch if (hba->dev_info.f_power_on_wp_en && ^ drivers/scsi/ufs/ufshcd.c:4894:3: note: 'b_lu_write_protect' declared without an initial value u8 b_lu_write_protect; ^~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:4896:8: note: Calling 'ufshcd_get_lu_wp' if (!ufshcd_get_lu_wp(hba, ufshcd_scsi_to_upiu_lun(sdev->lun), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:4864:7: note: 'b_lu_write_protect' is non-null if (!b_lu_write_protect) ^~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:4864:2: note: Taking false branch if (!b_lu_write_protect) ^ 
drivers/scsi/ufs/ufshcd.c:4871:11: note: Assuming 'lun' is < field 'max_lu_supported', which participates in a condition later else if (lun >= hba->dev_info.max_lu_supported) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:4871:7: note: Taking false branch else if (lun >= hba->dev_info.max_lu_supported) ^ drivers/scsi/ufs/ufshcd.c:4874:9: note: Calling 'ufshcd_read_unit_desc_param' ret = ufshcd_read_unit_desc_param(hba, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:3556:7: note: Calling 'ufs_is_valid_unit_desc_lun' if (!ufs_is_valid_unit_desc_lun(&hba->dev_info, lun, param_offset)) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufs.h:583:7: note: 'dev_info' is non-null, which participates in a condition later if (!dev_info || !dev_info->max_lu_supported) { ^~~~~~~~ drivers/scsi/ufs/ufs.h:583:6: note: Left side of '||' is false if (!dev_info || !dev_info->max_lu_supported) { ^ drivers/scsi/ufs/ufs.h:583:19: note: Assuming field 'max_lu_supported' is not equal to 0, which participates in a condition later if (!dev_info || !dev_info->max_lu_supported) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufs.h:583:2: note: Taking false branch if (!dev_info || !dev_info->max_lu_supported) { ^ drivers/scsi/ufs/ufs.h:588:6: note: 'param_offset' is not equal to UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS if (param_offset == UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS) ^~~~~~~~~~~~ drivers/scsi/ufs/ufs.h:588:2: note: Taking false branch if (param_offset == UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS) ^ drivers/scsi/ufs/ufs.h:590:9: note: Assuming 'lun' is equal to UFS_UPIU_RPMB_WLUN return lun == UFS_UPIU_RPMB_WLUN || (lun < dev_info->max_lu_supported); ^~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufs.h:590:35: note: Left side of '||' is true return lun == UFS_UPIU_RPMB_WLUN || (lun < dev_info->max_lu_supported); ^ drivers/scsi/ufs/ufs.h:590:2: note: Returning the value 1, which participates in a condition later return lun == UFS_UPIU_RPMB_WLUN || 
(lun < dev_info->max_lu_supported); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:3556:7: note: Returning from 'ufs_is_valid_unit_desc_lun' if (!ufs_is_valid_unit_desc_lun(&hba->dev_info, lun, param_offset)) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:3556:2: note: Taking false branch if (!ufs_is_valid_unit_desc_lun(&hba->dev_info, lun, param_offset)) ^ drivers/scsi/ufs/ufshcd.c:3559:9: note: Calling 'ufshcd_read_desc_param' return ufshcd_read_desc_param(hba, QUERY_DESC_IDN_UNIT, lun, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:3371:6: note: 'desc_id' is < QUERY_DESC_IDN_MAX if (desc_id >= QUERY_DESC_IDN_MAX || !param_size) ^~~~~~~ drivers/scsi/ufs/ufshcd.c:3371:6: note: Left side of '||' is false drivers/scsi/ufs/ufshcd.c:3371:40: note: 'param_size' is 1 if (desc_id >= QUERY_DESC_IDN_MAX || !param_size) ^~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:3371:2: note: Taking false branch if (desc_id >= QUERY_DESC_IDN_MAX || !param_size) ^ drivers/scsi/ufs/ufshcd.c:3375:2: note: Calling 'ufshcd_map_desc_id_to_length' ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/ufs/ufshcd.c:3325:6: note: 'desc_id' is < QUERY_DESC_IDN_MAX if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 || ^~~~~~~ drivers/scsi/ufs/ufshcd.c:3325:6: note: Left side of '||' is false drivers/scsi/ufs/ufshcd.c:3325:39: note: 'desc_id' is not equal to QUERY_DESC_IDN_RFU_0 if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 || ^~~~~~~ drivers/scsi/ufs/ufshcd.c:3325:6: note: Left side of '||' is false if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 || ^ drivers/scsi/ufs/ufshcd.c:3326:6: note: 'desc_id' is not equal to QUERY_DESC_IDN_RFU_1 desc_id == QUERY_DESC_IDN_RFU_1) ^~~~~~~ drivers/scsi/ufs/ufshcd.c:3325:2: note: Taking false branch if (desc_id >= 
QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 ||

vim +4898 drivers/scsi/ufs/ufshcd.c

57d104c153d3d6 Subhash Jadavani 2014-09-25 4881
57d104c153d3d6 Subhash Jadavani 2014-09-25 4882 /**
57d104c153d3d6 Subhash Jadavani 2014-09-25 4883 * ufshcd_get_lu_power_on_wp_status - get LU's power on write protect
57d104c153d3d6 Subhash Jadavani 2014-09-25 4884 * status
57d104c153d3d6 Subhash Jadavani 2014-09-25 4885 * @hba: per-adapter instance
57d104c153d3d6 Subhash Jadavani 2014-09-25 4886 * @sdev: pointer to SCSI device
57d104c153d3d6 Subhash Jadavani 2014-09-25 4887 *
57d104c153d3d6 Subhash Jadavani 2014-09-25 4888 */
57d104c153d3d6 Subhash Jadavani 2014-09-25 4889 static inline void ufshcd_get_lu_power_on_wp_status(struct ufs_hba *hba,
57d104c153d3d6 Subhash Jadavani 2014-09-25 4890 struct scsi_device *sdev)
57d104c153d3d6 Subhash Jadavani 2014-09-25 4891 {
57d104c153d3d6 Subhash Jadavani 2014-09-25 4892 if (hba->dev_info.f_power_on_wp_en &&
57d104c153d3d6 Subhash Jadavani 2014-09-25 4893 !hba->dev_info.is_lu_power_on_wp) {
57d104c153d3d6 Subhash Jadavani 2014-09-25 4894 u8 b_lu_write_protect;
57d104c153d3d6 Subhash Jadavani 2014-09-25 4895
57d104c153d3d6 Subhash Jadavani 2014-09-25 4896 if (!ufshcd_get_lu_wp(hba, ufshcd_scsi_to_upiu_lun(sdev->lun),
57d104c153d3d6 Subhash Jadavani 2014-09-25 4897 &b_lu_write_protect) &&
57d104c153d3d6 Subhash Jadavani 2014-09-25 @4898 (b_lu_write_protect == UFS_LU_POWER_ON_WP))
57d104c153d3d6 Subhash Jadavani 2014-09-25 4899 hba->dev_info.is_lu_power_on_wp = true;
57d104c153d3d6 Subhash Jadavani 2014-09-25 4900 }
57d104c153d3d6 Subhash Jadavani 2014-09-25 4901 }
57d104c153d3d6 Subhash Jadavani 2014-09-25 4902

:::::: The code at line 4898 was first introduced by commit
:::::: 57d104c153d3d6d7bea60089e80f37501851ed2c ufs: add UFS power management support

:::::: TO: Subhash Jadavani <[email protected]>
:::::: CC: Christoph Hellwig <[email protected]>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
.config.gz
Description: application/gzip
